Roundcube Community Forum


Integration with Gluu OpenID

Started by sugar, October 27, 2021, 06:40:56 AM


sugar

I have installed roundcube 1.5.0 and I want to integrate it with Gluu 3.1.6 by OpenID Connect.

I just configured OAuth in config.inc.php:

$config['assets_path'] = '/';
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'MyIDService';
$config['oauth_client_id'] = '---myclientid---';
$config['oauth_client_secret'] = '---myclientsecret---';
$config['oauth_auth_uri'] = 'https://glu/oxauth/restv1/authorize';
$config['oauth_token_uri'] = 'https://glu/oxauth/restv1/token';
$config['oauth_identity_uri'] = 'https://glu/oxauth/restv1/userinfo';
$config['oauth_scope'] = 'openid email profile';
$config['oauth_verify_peer'] = true;
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = null;
$config['oauth_login_redirect'] = false;


Now Gluu auth is successful, but after that I am returned to the RoundCube login screen and I can't get access to my mail.

Please help, I don't know where the roundcube logs are. :(

sugar

Now I get a 401 error on the token request :(

RoundCube config.inc.php:
$config['assets_path'] = '/';
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Gluu';
$config['oauth_client_id'] = '@!8533.87B8.9339.0918!0001!CD6C.0A70!0008!76CD.B7B6.CE69.854C';
$config['oauth_client_secret'] = 'supersecret';
$config['oauth_auth_uri'] = 'https://gluu.local/oxauth/restv1/authorize';
$config['oauth_token_uri'] = 'https://gluu.local/oxauth/restv1/token';
$config['oauth_identity_uri'] = 'https://gluu.local/oxauth/restv1/userinfo';
$config['oauth_scope'] = 'openid email profile';
$config['oauth_verify_peer'] = true;
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = null;
$config['oauth_login_redirect'] = false;
#$config['oauth_auth_parameters'] = ['access_type' => 'offline', 'prompt' => 'consent'];
#$config['redirect_uri'] = 'https://mymail.local';

OPENID CONNECT CLIENTS DETAILS
- **Name:** mymail.local
- **Client ID:** @!8533.87B8.9339.0918!0001!CD6C.0A70!0008!76CD.B7B6.CE69.854C
- **Subject Type:** pairwise
- **Expiration date:** Mon Oct 27 00:00:00 UTC 2121
- **ClientSecret:** supersecret
- **Application Type:** web
- **Persist Client Authorizations:** true
- **Pre-Authorization:** false
- **Authentication method for the Token Endpoint:** client_secret_basic
- **Logout Session Required:** false
- **Include Claims In Id Token:** true
- **Disabled:** false
- **Login Redirect URIs:** [https://mymail.local/index.php/login/oauth]
- **Scopes:** [email, openid, profile, user_name]
- **Grant types:** [authorization_code]
- **Response types:** [code]

https://gluu.local/oxauth/restv1/token POST HTTP/1.1 code=556a3622-d441-4a52-ae54-2e9aced9d757&client_id=%40%218533.87B8.9339.0918%210001%21CD6C.0A70%210008%2176CD.B7B6.CE69.854C&client_secret=supersecret&redirect_uri=https%3A%2F%2Fmymail.local%2Findex.php%2Flogin%2Foauth&grant_type=authorization_code 401

{"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}

alec

> - **Authentication method for the Token Endpoint:** client_secret_basic
This looks suspicious, what other options do you have there?

sugar

With client_secret_post it is the same situation, 401.

All options:
client_secret_basic
client_secret_post
client_secret_jwt
private_key_jwt
none


I added an Authorization header to the request in rcmail_oauth.php and now the Gluu error changed to
{"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

sugar

Now I get an error here:
$rcmail->login($auth['username'], $auth['authorization'], $storage_host, true)
this login failed :(

In the roundcube imap.log I have errors:
A0002 NO [ALERT] Unsupported authentication mechanism.

alec

Is your IMAP server configured with XOAUTH2 support? If not, this ain't gonna work. Enable imap_debug to see what's going on on the imap communication level.

sugar

roundcube imap.log:

[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] Connecting to ssl://mail.mymail.local:993...
[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=XOAUTH2] Dovecot (Ubuntu) ready.
[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] C: A0002 AUTHENTICATE ****** [110]
[28-Oct-2021 14:01:43 +0300]: <jqr59ao3> [3DA0] S: + some longlong secret code
[28-Oct-2021 14:01:43 +0300]: <jqr59ao3> [3DA0] C: ****** [-2]
[28-Oct-2021 14:01:45 +0300]: <jqr59ao3> [3DA0] S: A0002 NO [AUTHENTICATIONFAILED] Authentication failed.


dovecot.log:

dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=XOAUTH2, rip=192.168.5.4, lip=192.168.5.4, TLS, session=<2yQkEGjPdpBf2OiF>
mail dovecot: auth: Debug: auth client connected (pid=10631)
mail dovecot: auth: Debug: client in: AUTH#0111#011XOAUTH2#011service=imap#011secured#011session=LuJqy2jPtrBf2OiF#011lip=192.168.5.4#011rip=192.168.5.4#011lport=993#011rport=45238#011local_name=mail.mymail.local#011resp=dXNlcj1hLmVzZW5raW5AaW52b2x0YS5ydQFhdXRoPWJlYXJlciAzZjFhYmU4ZC1hZDFhLTRmODMtOTYyNy0wM2JjMDQ4MTdlZTEBAQ== (previous base64 data may contain sensitive data)
mail dovecot: auth: Debug: sql([email protected],192.168.5.4,<LuJqy2jPtrBf2OiF>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='[email protected]' AND mailbox."enableimapsecured"=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
mail dovecot: auth: sql([email protected],192.168.5.4,<LuJqy2jPtrBf2OiF>): Password mismatch
mail dovecot: auth: Debug: sql([email protected],192.168.5.4,<LuJqy2jPtrBf2OiF>): SSHA512(3f1abe8d-ad1a-4f83-9627-03bc04817ee1) != 'pfMG7ocjyKYmTuezDRs7iczG2dXYxGA7FWc8KxBVfvsrrNbYqu2BkwyxBErXbAQiJcI3hmiZ+Q5llAnbjLDWqeHaN0g='
mail dovecot: auth: Debug: client passdb out: CONT#0111#011eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIiwic2NvcGUiOiJtYWlsIn0=
mail dovecot: auth: Debug: client in: CONT#0111#011 (previous base64 data may contain sensitive data)

dovecot: auth: Debug: client passdb out: FAIL#0111#[email protected]

I added XOAUTH2 to the mechanisms in dovecot.conf. I'm using dovecot version 2.2.33.2.
# Authentication mechanisms.
auth_mechanisms = PLAIN LOGIN XOAUTH2

sugar

My dovecot service is working with sql:
passdb sql {
    driver = sql
    args = /etc/dovecot/mysql-auth-default.conf.ext
}

How can I use it together with oauth2?! :(

My old web client worked perfectly with the php-oauth2 library, but roundcube is hard to integrate with oauth2...
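The dovecot.log above shows the cause of the IMAP failure: the only passdb is the sql one, so Dovecot treats the XOAUTH2 bearer token as a password and compares SSHA512(token) against the stored hash. The fix is to add an oauth2 passdb that is consulted only for bearer-token mechanisms and let the sql passdb keep serving PLAIN/LOGIN. The configuration below is an added example, not from the thread or from the Roundcube or Dovecot projects; it assumes Dovecot 2.2.30 or later (for the passdb `mechanisms` filter), that Gluu's userinfo endpoint accepts the access token as a bearer header, and that the `email` claim equals the IMAP username Roundcube sends.

```conf
# /etc/dovecot/conf.d/10-auth.conf  (added example; paths are assumptions)
auth_mechanisms = plain login xoauth2 oauthbearer

# Consulted only when the client authenticates with a bearer token.
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

# Existing SQL passdb, now restricted to password mechanisms so a bad
# token is no longer hashed and compared against mailbox.password.
passdb {
  driver = sql
  mechanisms = plain login
  args = /etc/dovecot/mysql-auth-default.conf.ext
}

# /etc/dovecot/dovecot-oauth2.conf.ext  (added example)
# "auth" mode sends "Authorization: Bearer <token>" to introspection_url;
# using Gluu's userinfo endpoint this way is an assumption to verify.
introspection_mode = auth
introspection_url = https://gluu.local/oxauth/restv1/userinfo
# Claim that must match the user= part of the XOAUTH2 initial response.
username_attribute = email
# Verify Gluu's TLS certificate instead of trusting any server.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
# Log the full validation exchange while testing; turn off in production.
debug = yes
```

After reloading Dovecot, `doveadm auth test -m xoauth2 <user>` (or the imap_debug log alec mentions) should show the oauth2 passdb answering instead of the sql hash mismatch.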